Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Trailrunner7 (1100399) writes "For the nth time in the last couple of years, security experts are warning about a new Internet-scale vulnerability, this time in some popular SSL clients. The flaw allows an attacker to force clients to downgrade to weakened ciphers and break their supposedly encrypted communications through a man-in-the-middle attack.

Researchers recently discovered that some SSL clients, including OpenSSL, will accept weak RSA keys–known as export-grade keys–without asking for those keys. Export-grade refers to 512-bit RSA keys, the key strength that was approved by the United States government for export overseas. This was an artifact from decades ago and it was thought that most servers and clients had long ago abandoned such weak ciphers.

“The 512-bit export grade encryption was a compromise between dumb and dumber. In theory it was designed to ensure that the NSA would have the ability to ‘access’ communications, while allegedly providing crypto that was still ‘good enough’ for commercial use. Or if you prefer modern terms, think of it as the original ‘golden master key‘," said cryptographer Matt Green of Johns Hopkins University.

The vulnerability affects a variety of clients, most notably Apple’s Safari browser. The bug was discovered by a large group of researchers from Microsoft Research and the French National Institute for Research in Computer Science and Control, and they found that given a server that supports export-grade ciphers and a client that accepts those weak keys, an attacker with a man-in-the-middle position could force a client to downgrade to the weak keys. He could then take the key and factor it, which researchers were able to do in about seven and a half hours, using Amazon EC2. And because it’s resource-intensive to generate RSA keys, servers will generate one and re-use it indefinitely."

Even as fresh revelations about the extent of the NSA’s efforts to get access to encryption keys for mobile communications continue to unspool, the agency’s director is advocating for some form of legal, direct access to encrypted communications. Mike Rogers, director of the NSA and head of the U.S. Cyber Command, said at an event yesterday that it’s important for a legal framework to be put in place to govern how intelligence agencies can access secure communications.Bruce Schneier, cryptographer and CTO of Resilient Systems, asked Rogers directly about that problem during the event held by the New America Foundation and was unsatisfied by the answer. For Schneier, the rhetoric and the lack of technical understanding coming from the government are eerily reminiscent of the crypto wars of the 1990s.

“If someone sat Rogers down and described Clipper to him, I think he would say, ‘I want that,'” Schneier said. “He says we need a legal rule, but that can’t solve the technical problems. This is a place where policy and technology collide in a way that it limits the solution space. There’s a belief that this is just a technical problem and we can solve it.”"

Some of the techniques the group has used are closely associated with tactics employed by the NSA, specifically the interdiction operations and the use of the LNK vulnerability exploit by Stuxnet.

The Equation Group has a massive, flexible and intimidating arsenal at its disposal. Along with using several zero days in its operations, the attack crew also employs two discrete modules that enable them to reprogram the hard drive firmware on infected machines. This gives the attackers the ability to stay persistent on compromised computers indefinitely and create a hidden storage partition on the hard drive that is used to store stolen data. At the Security Analyst Summit here Monday, researchers at Kaspersky presented on the Equation Group’s operations while publishing a new report that lays out the inner workings of the crew’s tools, tactics and target list. The victims include government agencies, energy companies, research institutions, embassies, telecoms, universities, media organizations and others. Countries targeted by this group include Russia, Syria, Iran, Pakistan, China, Yemen, Afghanistan, India but also US and UK, between and several others."

Trailrunner7 (1100399) writes "WordPress has become a huge target for attackers and vulnerability researchers, and with good reason. The software runs a large fraction of the sites on the Internet and serious vulnerabilities in the platform have not been hard to come by lately. But there’s now a bug that’s been disclosed in all versions of WordPress that may allow an attacker to take over vulnerable sites.

The issue lies in the fact that WordPress doesn’t contain a cryptographically secure pseudorandom number generator. A researcher named Scott Arciszewski made the WordPress maintainers aware of the problem nearly eight months ago and said that he has had very little response.

The consequences of an attack on the bug would be that the attacker might be able to predict the token used to generate a new password for a user’s account and thus take over the account. Arciszewski has developed a patch for the problem and published it, but it has not been integrated into WordPress. He said he has had almost no communication from the WordPress maintainers about the vulnerability, save for one tweet from a lead developer that was later deleted.

Arciszewski said he has not developed an exploit for the issue but said that an attacker would need to be able to predict the next RNG seed in order to exploit it.

“There is a rule in security: attacks only get better, never worse. If this is not attackable today, there is no guarantee this will hold true in 5 or 10 years. Using/dev/urandom (which is what my proposed patch tries to do, although Stefan Esser has highlighted some flaws that would require a 4th version before it’s acceptable for merging) is a serious gain over a userland RNG,” he said by email."

Trailrunner7 (1100399) writes "The last year has seen a big swing in the support from the technology community for open-source security tools, many of which are maintained by tiny staffs or volunteers. OpenSSL last year received a large chunk of funding from the Core Infrastructure Initiative, and now it’s GnuPG’s turn.

After a story on ProPublica Thursday publicized the plight of Werner Koch, the creator and lone full-time developer of the encryption software, who was running low on money to fund the project, members of the security and technology communities began a word-of-mouth campaign to raise money to help. These kinds of campaigns can fizzle out quickly, but not this time. In less than a day, the GnuPG project received more than €120,000 in donations from individuals around the world.

In addition to the €120,000 in donations from individual supporters, the CII, which is supported by the Linux Foundation, has given GnuPG a $60,000 grant for this year. Also, both Facebook and Stripe, the payment processor GnuPG uses, have pledged $50,000 each to support the project."

Trailrunner7 (1100399) writes "Attackers have compromised Anthem Inc., one of the larger health-care companies in the United States, gaining access to the Social Security numbers, birth dates, names, employment and income data and other personal information of an untold number of customers.

The company says it is not sure yet how many customers are affected, but Anthem claims to have 69 million customers across its product lines. In a statement, Anthem, which was previously known as WellPoint Health Networks, said that the company was the victim of a targeted, sophisticated attack.

Given the size of the Anthem customer base, this could turn out to be one of the larger data breaches in U.S. history. The scope of the information the attackers obtained could give them broad access to victims’ personal lives.

“If confirmed, we are dealing with one of the biggest data breaches in history and probably the biggest data breach in the healthcare industry. If you are wondering what it means for individuals, in a few words: it is a nightmare,” said Jamie Blasco, vice president and chief scientist at AlienVault."

Trailrunner7 (1100399) writes "In the years since Edward Snowden began putting much of the NSA‘s business in the street, including its reliance on the secret FISA court and National security Letters, warrant canaries have emerged as a key method for ISPs, telecoms and other technology providers to let the public know whether they have received any secret orders. But keeping track of the various canaries scattered around the Web is difficult, so a group of legal and civil liberties organizations have come together to launch a new site to monitor the known warrant canaries.

The Canary Watch site is the work of the EFF, the Berkman Center for Internet and Society and NYU’s Technology Law and Policy Center and it works on a simple concept. The site maintains a list of all of the known warrant canaries and periodically checks each organization’s site to see whether the canary is still there and then lists any changes to the status.

“Canarywatch lists the warrant canaries we know about, tracks changes or disappearances of those canaries, and allows users to submit canaries not listed on the site. For people with interest in a particular canary, the site will show any changes we know about,” Nadia Kayyali of the EFF said in a blog post."

An anonymous reader writes "Security researcher Simone Margaritelli has reverse engineered the Bluetooth low-energy communications protocol for his Nike+ FuelBand SE, a wrist-worn activity tracker. He learned some disturbing fact: "The authentication system is vulnerable, anyone could connect to your device. The protocol supports direct reading and writing of the device memory, up to 65K of contents. The protocol supports commands that are not supposed to be implemented in a production release (bootloader mode, device self test, etc)." His post explains in detail how he managed this, and how Nike put effort into creating an authentication system, but then completely undermined it by using a hard-coded token. Margaritelli even provides a command list for the device, which can do things like grab an event log, upload a bitmap for the screen, and even reset the device."Link to Original Source

msm1267 (2804139) writes "Less than 48 hours after the disclosure of the Ghost vulnerability in the GNU C library (glibc), researchers have uncovered that PHP applications, including the WordPress content management system, could be another weak spot and eventually in the crosshairs of attackers.

Ghost is a vulnerability in glibc that attackers can use against only a handful of applications right now to remotely run executable code and gain control of a Linux server. The vulnerability is a heap-based buffer overflow and affects all Linux systems, according to experts, and has been present in the glibc code since 2000.

“An example of where this could be a big issue is within WordPress itself: it uses a function named wp_http_validate_url() to validate every pingback’s post URL,” wrote Sucuri research Marc-Alexandre Montpas in an advisory published Wednesday. “And it does so by using gethostbyname(). So an attacker could leverage this vector to insert a malicious URL that would trigger a buffer overflow bug, server-side, potentially allowing him to gain privileges on the server.”"Link to Original Source

Marriott last year paid a fine of $600,000 to settle an FCC enforcement action that resulted from a customer complaint. A guest complained that while staying at the Gaylord Opryland hotel in Tennessee his personal WiFi hotspot was being blocked and he was being forced to pay to use the hotel’s network. The investigation by the FCC found that in some cases the hotel’s network would send de-authentication packets to the personal hotspots used by guests, forcing their devices to disconnect.

Now, the FCC is making it clear that the Enforcement Bureau is looking closely at this kind of behavior, not just by hotel operators, but by any commercial business.

“Willful or malicious interference with Wi-Fi hot spots is illegal. Wi-Fi blocking violates Section 333 of the Communications Act, as amended.1 The Enforcement Bureau has seen a disturbing trend in which hotels and other commercial establishments block wireless consumers from using their own personal Wi-Fi hot spots on the commercial establishment’s premises. As a result, the Bureau is protecting consumers by aggressively investigating and acting against such unlawful intentional interference,” the Federal Communications Commission said in a statement issued this week."

The link, found in a keylogger called QWERTY allegedly used by the so-called Five Eyes, leads them to conclude that the developers of each platform are either the same, or work closely together.

“Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source codes, we conclude the QWERTY malware developers and the Regin developers are the same or working together,” wrote Kaspersky Lab researchers Costin Raiu and Igor Soumenkov today in a published report."

Trailrunner7 (1100399) writes "The gauges that detect and prevent fuel leaks at more than 5,000 gas stations in the United States are utterly vulnerable to remote attacks, according to new research conducted by HD Moore of Rapid7. The gauges are manufactured by Veeder-Root, who says it is working with its customers better enable available security features.

Automated tank gauges (ATGs), as they are called, monitor fuel levels in gas station storage tanks and trigger alarms in compliance with environmental regulations when fuel tanks are overfilled. The risk posed to these gas stations — roughly three percent of the 150,000 station in the U.S. — are serious and could enable hackers to completely shut down the stations containing the vulnerable ATGs.

“Many ATGs can be programmed and monitored through a built-in serial port, a plug-in serial port, a fax/modem, or a TCP/IP circuit board,” Moore explained on Rapid7’s Security Street blog. “In order to monitor these systems remotely, many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port. The most common configuration is to map these to TCP port 10001.”"

The vulnerability that Adobe patched Thursday is under active attack, but Adobe officials said that this flaw is not the one that security researcher Kafeine said Wednesday was being used in the Angler attacks.

The patch for Flash comes just a day after Kafeine disclosed that some instances of the Angler exploit kit contained an exploit for a previously unknown vulnerability in the software. Adobe officials said Wednesday that they were investigating the reports. Kafeine initially saw Angler attacking the latest version of Flash in IE on Windows XP, Vista, 7 and 8, but said the exploit wasn’t being used against Chrome or Firefox.

On Thursday he said on Twitter that the group behind Angler had changed the code to exploit Firefox as well as fully patched IE 11 on Windows 8.1."

French security researcher Kafeine has spotted a version of the Angler kit that’s firing exploits for several vulnerabilities in Flash, including two known bugs. But the big problem is that the kit also has exploit code for what appears to be a zero-day in the latest version of Flash, version 16.0.0.257. Kafeine said that he first spotted the exploit for the zero-day in Flash on Wednesday and that it is being used to install a piece of malware known as Bedep.

The researcher said that not all instances of Angler are using the new Flash zero-day exploit, nor is it being used against all of the popular browsers. In his tests, Kafeine found that IE 10 on Windows 8, IE 8 on Windows 7 and IE 6-9 on Windows XP all are being exploited. Chrome is not being targeted and fully patched Windows 8.1 is not exploitable, he said.

Trailrunner7 (1100399) writes "Oracle on Tuesday will release a huge number of security fixes as part of its quarterly critical patch update, and one of them is a patch for a vulnerability that a well-known security researcher said looks a lot like a back door but was likely just a terrible mistake.

The flaw is found in Oracle’s eBusiness Suite, a set of apps that includes financial management, CRM and other functions. David Litchfield, an accomplished security researcher who has been poking holes in Oracle products for more than a decade, discovered the vulnerability and reported it to the vendor last year.

A remote attacker could have the ability gain control of an affected database, which is game over for the target system. Litchfield said that when he discovered the vulnerability on a client’s network, his first thought was that the client had been owned and the attacker had left the back door there for later use.

Despite how bad the vulnerability looks, Litchfield said he doesn’t think that it is actually an intentional back door inserted for law enforcement or an intelligence agency.

“I don’t think Oracle as a company would do that. Could it be a disgruntled employee? Maybe, though, giving them the benefit [of the] doubt, it could be that some dev was testing something and they forgot to turn it off. Who knows. What is concerning however is that Oracle seem not to know who and why this privilege was granted, either,” he said."